Bug 454047 - SELinux is preventing libvirtd (virtd_t) "getsched" to <Unknown> (virtd_t) & (qemu_t)
Summary: SELinux is preventing libvirtd (virtd_t) "getsched" to <Unknown> (virtd_t) & ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-04 05:03 UTC by Lawrence Lim
Modified: 2014-03-26 00:55 UTC (History)

Fixed In Version: selinux-policy-3.3.1-78.fc9.noarch
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-13 04:36:04 UTC
Type: ---
Embargoed:


Attachments
alert against virtd_t (2.52 KB, text/plain)
2008-07-04 05:03 UTC, Lawrence Lim
alert to qemu_t (2.62 KB, text/plain)
2008-07-04 05:11 UTC, Lawrence Lim

Description Lawrence Lim 2008-07-04 05:03:11 UTC
Description of problem:
SELinux denied access requested by libvirtd. 

Version-Release number of selected component (if applicable):
ovirt-developer-appliance-0.91-1
libvirt-0.4.4-1.fc9

How reproducible:
Always

Steps to Reproduce:
1. SELinux in enforce mode
2. virsh start developer

Actual results:
see attached selinux log

Expected results:
no SELinux warning

Additional info:

Comment 1 Lawrence Lim 2008-07-04 05:03:11 UTC
Created attachment 310991
alert against virtd_t

Comment 2 Lawrence Lim 2008-07-04 05:11:21 UTC
Created attachment 310992
alert to qemu_t

Comment 3 Daniel Veillard 2008-07-07 09:49:48 UTC
I think this really needs to be fixed in the SELinux policies, and since Ovirt
is based on Fedora, that should be in the Fedora Component. I doubt it should
be processed in the isolation of the Virtualization tools components.
So reassigning,

Daniel

Comment 4 Benjamin Kahn 2008-07-07 14:29:30 UTC
This is on Fedora 9

Comment 5 Daniel Walsh 2008-07-07 16:17:00 UTC
This is definitely fixed in selinux-policy-3.3.1-76.fc9 if not earlier.  Please
update to the latest SELinux policy.

Comment 6 Wade Mealing 2008-07-25 01:55:19 UTC
I also have a getsched avc denial for libvirtd, (also qemu), slightly different
error..

[root@macmini ~]# date
Fri Jul 25 11:52:16 EST 2008
[root@macmini ~]# rpm -q selinux-policy
selinux-policy-3.3.1-78.fc9.noarch

-- meanwhile virt-manager is run and a prebuilt domain is attempted to be started --
 
[root@macmini ~]# tail -f /var/log/messages -n 5
Jul 25 11:51:55 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:51:55 macmini kernel: device vnet0 left promiscuous mode
Jul 25 11:51:55 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:51:55 macmini setroubleshoot: SELinux is preventing libvirtd (virtd_t)
"getsched" to <Unknown> (virtd_t). For complete SELinux messages. run sealert -l
575aa5fe-4e1d-4658-b018-0c3c30a775a7
Jul 25 11:52:15 macmini wmealing: test-test
Jul 25 11:52:32 macmini kernel: device vnet0 entered promiscuous mode
Jul 25 11:52:32 macmini kernel: virbr0: port 1(vnet0) entering listening state
Jul 25 11:52:32 macmini kernel: kvm: guest NX capability removed
Jul 25 11:52:32 macmini kernel: kvm: guest NX capability removed
Jul 25 11:52:32 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:52:32 macmini kernel: device vnet0 left promiscuous mode
Jul 25 11:52:32 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:52:32 macmini setroubleshoot: SELinux is preventing libvirtd (virtd_t)
"getsched" to <Unknown> (virtd_t). For complete SELinux messages. run sealert -l
575aa5fe-4e1d-4658-b018-0c3c30a775a7

[root@macmini ~]# date
Fri Jul 25 11:52:45 EST 2008



Comment 7 Daniel Walsh 2008-07-25 02:41:22 UTC
Please send me the complete output from the sealert command

Comment 8 Xiaohong Wang 2008-07-25 09:03:07 UTC
Updated to selinux-policy-3.3.1-78.fc9.noarch, verified this issue has been fixed.

